Signed Request Object Authentication Requirements
Hi,
JWT Assertions have requirements that are not met by the Signed Request object. https://tools.ietf.org/html/rfc7523#section-3 e.g. "The JWT MUST contain an "exp" (expiration time) claim"
https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject
Can we use the signed request object for Client Authentication in CIBA without meeting these requirements? https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#auth_request
cheers Axel
Comments (6)
reporter:
I reckon that JWT assertions have nothing to do with the Signed Request Object regarding this aspect. An assertion is something that you have got about or you know (self-issued) and you want to show it as a grant to get an access_token, so it needs to be valid only for a specific time. However, the request object, in spite of the fact that it is a JWT that you can sign as well, doesn't need to demonstrate that it is valid within a period of time.
reporter: An administrator at the OP could steal the signed request object and use it to issue a fake CIBA authentication request impersonating the client. Limiting the lifetime of the authentication token reduces this risk.
Coming from an OAuth2 world where client_secrets are good enough this does not add much security to rogue administrator scenarios but...
reporter: assigned issue to
reporter: changed component to CIBA
changed status to resolved
The CIBA signed authentication request now requires exp, iat, nbf, etc. and is used optionally in addition to regular client authentication when making a request to the backchannel authentication endpoint. I'm not completely sure what is being asked for in this ticket but it seems like that stuff maybe covers it.